diff options
author | Stefan Hajnoczi <stefanha@redhat.com> | 2015-07-15 17:34:40 +0100 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2015-08-03 13:08:06 +0100 |
commit | c6296ea88df040054ccd781f3945fe103f8c7c17 (patch) | |
tree | 3a0f9edad012db59b2f9dfc60849aee22d7c6e01 /hw/net | |
parent | 03247d43c577dfea8181cd40177ad5ba77c8db76 (diff) |
rtl8139: check IP Total Length field (CVE-2015-5165)
The IP Total Length field includes the IP header and data. Make sure it
is valid and does not exceed the Ethernet payload size.
Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'hw/net')
-rw-r--r-- | hw/net/rtl8139.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c index 4eaa352f1a..6859d7684e 100644 --- a/hw/net/rtl8139.c +++ b/hw/net/rtl8139.c @@ -2191,7 +2191,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) } ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; + + ip_data_len = be16_to_cpu(ip->ip_len); + if (ip_data_len < hlen || ip_data_len > eth_payload_len) { + goto skip_offload; + } + ip_data_len -= hlen; if (txdw0 & CP_TX_IPCS) { |